@Umer Rashid It seems like you are trying to access a key vault from your Docker Compose app running in an Azure App Service with system-assigned managed identity enabled. The error message you are seeing indicates that the app is unable to authenticate using the available credentials. To troubleshoot this issue, you can try the following steps:
- Make sure that the managed identity of your App Service has been granted access to the key vault and has the appropriate permissions. You can check this by going to the Access policies tab in the Azure portal and verifying that the managed identity is listed with the correct role.
- Make sure that your Docker Compose app is running with the correct environment variables. You can set the environment variables for your app in the Docker Compose file or in the Azure portal. The environment variables should include the following:
  - `AZURE_CLIENT_ID`: The client ID of the managed identity.
  - `AZURE_CLIENT_SECRET`: The client secret of the managed identity. This is not required for system-assigned managed identities.
  - `AZURE_TENANT_ID`: The tenant ID of the Azure AD directory that the managed identity belongs to.
  - `AZURE_MANAGED_IDENTITY_ENDPOINT`: The endpoint for the managed identity service. This is not required for system-assigned managed identities.
- Make sure that your Docker Compose app is using the correct Azure SDK version and that the SDK is configured to use the managed identity. You can use the `DefaultAzureCredential` class from the Azure SDK to authenticate with the managed identity. Here's an example of how you can use the `DefaultAzureCredential` class to authenticate with the managed identity:
```javascript
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");

// `await` is only valid inside an async function in a CommonJS module,
// so the original top-level `await` is wrapped in main().
async function main() {
  // DefaultAzureCredential tries the AZURE_* environment variables first and
  // then falls back to the managed identity endpoint of the App Service.
  const credential = new DefaultAzureCredential();
  const vaultName = "<your-key-vault-name>";
  const url = `https://${vaultName}.vault.azure.net`;
  const client = new SecretClient(url, credential);
  const secretName = "<your-secret-name>";
  const secret = await client.getSecret(secretName);
  console.log(`The value of ${secretName} is ${secret.value}.`);
}

main().catch((err) => { console.error(err); process.exit(1); });
```
You are correct that system-assigned managed identities are not supported with multi-container web apps in Azure App Service. In this case, using a service principal is a recommended approach to access Key Vault from a Docker Compose web app. To use a service principal to access Key Vault from a Docker Compose web app, you can follow the steps outlined in the article you mentioned. Here's a summary of the steps:
1. Create a service principal in Azure AD and grant it access to the Key Vault.
2. Store the service principal's credentials in the environment file of your Docker Compose app.
3. Use the Azure SDK to authenticate with the service principal and access the Key Vault secrets.
Here's an example of how you can use the Azure SDK to authenticate with the service principal and access the Key Vault secrets:
```javascript
const { ClientSecretCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");

// Wrapped in an async function because top-level `await` is not allowed in
// a CommonJS module.
async function main() {
  // Service principal credentials, normally supplied through the Compose
  // environment file rather than written into the source.
  const clientId = "<your-service-principal-client-id>";
  const clientSecret = "<your-service-principal-client-secret>";
  const tenantId = "<your-tenant-id>";
  const vaultName = "<your-key-vault-name>";
  const url = `https://${vaultName}.vault.azure.net`;
  const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
  const client = new SecretClient(url, credential);
  const secretName = "<your-secret-name>";
  const secret = await client.getSecret(secretName);
  console.log(`The value of ${secretName} is ${secret.value}.`);
}

main().catch((err) => { console.error(err); process.exit(1); });
```
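The following is an added example, not code from the answer above or from the Azure SDK. It combines the two authentication paths the answer describes (`DefaultAzureCredential` for managed identity, `ClientSecretCredential` for a service principal read from the Compose environment file) behind one selector that validates the environment before any SDK call is made, so a misconfigured container fails with a message naming the missing variable instead of an opaque authentication error. The SDK constructors are passed in as an `sdk` argument (a convention chosen for this example so the logic runs offline with fakes), and the `KEY_VAULT_NAME`, `SECRET_NAME` and `RUN_KEYVAULT_DEMO` variable names are assumptions of the example; the vault-name and GUID checks are simplified forms of Azure's rules.

```javascript
// Added example (not from the original answer). Selects how to authenticate
// to Key Vault from a Docker Compose web app, validates the environment first,
// and reads one secret without ever logging its value.
//
// Assumptions: env variable names KEY_VAULT_NAME, SECRET_NAME and
// RUN_KEYVAULT_DEMO are chosen here; `sdk` carries the constructors from
// @azure/identity and @azure/keyvault-secrets so the logic can be tested
// offline with fakes.

// Simplified Key Vault naming rule: 3-24 characters, letters, digits and
// hyphens, starting with a letter and ending with a letter or digit.
const VAULT_NAME_RE = /^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$/;
// Tenant and client IDs are GUIDs.
const GUID_RE = /^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$/;
// The three variables ClientSecretCredential needs.
const SP_VARS = ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"];

function vaultUrl(vaultName) {
  if (typeof vaultName !== "string" || !VAULT_NAME_RE.test(vaultName)) {
    throw new Error(`KEY_VAULT_NAME is not a valid Key Vault name: ${JSON.stringify(vaultName)}`);
  }
  return `https://${vaultName}.vault.azure.net`;
}

// "service-principal" when the AZURE_* triple is fully present and well-formed,
// "managed-identity" when none of it is set; anything in between is a
// misconfiguration and is reported by variable name.
function selectAuthMode(env) {
  const present = SP_VARS.filter((name) => env[name]);
  if (present.length === 0) {
    return "managed-identity";
  }
  const missing = SP_VARS.filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(`service principal configuration is incomplete; missing ${missing.join(", ")}`);
  }
  for (const name of ["AZURE_TENANT_ID", "AZURE_CLIENT_ID"]) {
    if (!GUID_RE.test(env[name])) {
      throw new Error(`${name} is not a GUID`);
    }
  }
  return "service-principal";
}

function buildCredential(env, sdk) {
  if (selectAuthMode(env) === "service-principal") {
    return new sdk.ClientSecretCredential(env.AZURE_TENANT_ID, env.AZURE_CLIENT_ID, env.AZURE_CLIENT_SECRET);
  }
  return new sdk.DefaultAzureCredential();
}

async function readSecret(env, sdk) {
  const mode = selectAuthMode(env);
  const name = env.SECRET_NAME;
  if (!name) {
    throw new Error("SECRET_NAME is not set");
  }
  const client = new sdk.SecretClient(vaultUrl(env.KEY_VAULT_NAME), buildCredential(env, sdk));
  try {
    const secret = await client.getSecret(name);
    return secret.value;
  } catch (err) {
    // Say which secret and which credential path failed, and keep the SDK's
    // error class name so credential and permission failures can be told apart.
    throw new Error(`reading ${name} via ${mode} failed: ${err.name}: ${err.message}`);
  }
}

// Real run against Azure: needs both SDK packages installed and RUN_KEYVAULT_DEMO=1.
if (typeof require === "function" && require.main === module && process.env.RUN_KEYVAULT_DEMO === "1") {
  const sdk = { ...require("@azure/identity"), ...require("@azure/keyvault-secrets") };
  readSecret(process.env, sdk)
    .then((value) => console.log(`${process.env.SECRET_NAME}: ${value.length} characters read`))
    .catch((err) => { console.error(err.message); process.exit(1); });
}
```

In a Compose deployment the three `AZURE_*` values come from the env file, so the first thing this code does on start-up is tell you whether that file was picked up at all; the wrapped error keeps the SDK's error class name, which is what distinguishes a credential that could not be obtained from a vault that rejected the caller, without writing the secret value to the container log.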